Two teenagers hacked London's transit system, stole millions of records, and got 5.5 years

Owen Flowers was 17 when he called Transport for London’s IT help desk, pretended to be an employee, and asked someone to reset a password. The person on the other end complied. That single phone call gave Flowers and his co-conspirator Talha Jubayer a foothold into one of the world’s largest public transit networks — and they spent the next 16 hours live-streaming their work.

The breach, which unfolded on August 31, 2024, exposed data on millions of London commuters, disabled 148 technical systems, and cost the agency an estimated £29 million in direct damages plus another £10 million in lost revenue. On Thursday, both men — now 18 and 20 — were sentenced to five years and six months in prison at Woolwich Crown Court.

Flowers and Jubayer were members of Scattered Spider, a hacking collective blamed for dozens of attacks on retailers including Marks & Spencer and Co-op. Prosecutors described them as computer-obsessed loners who found community in cybercrime. The two confessed to targeting TfL in June of this year.

At 5 PM on that Saturday in August, the pair broke into TfL’s internal systems. Chat logs recovered from Telegram show them bragging about accessing the Oyster card user database. They then combed through the records looking for London celebrities, and attempted to extract bank account information. At one point, Flowers joked that “Scattered Spider is spinning a web on the London Underground.”

The intrusion was not a feat of sophisticated code. The two simply called TfL’s tech support line, impersonated employees, and convinced a help desk worker to reset a password for the account they were impersonating. Once inside, they moved laterally through the network for hours, livestreaming the entire operation.

TfL’s IT team eventually forced all employees to log out and physically disconnected the network from the internet to stop the bleeding. The agency warned that without that intervention, London’s public transit services could have faced widespread disruptions. The Dial-a-Ride service for elderly and disabled residents was among the services severely impacted.

The stolen database — potentially containing records of up to 10 million passengers — continues to circulate among criminal groups. All 27,000 TfL employees had to visit offices in person to reset their passwords.

The National Crime Agency (NCA) said the case highlights a growing national security threat: British teenagers radicalized into cybercrime from their bedrooms. “The online world can expose young people to harmful influences and criminal groups beyond their front door,” said Paul Foster, deputy director of the NCA’s National Cyber Crime Unit. “Parents, carers, educators, tech companies, law enforcement — all of society has a responsibility to protect young people online.”

Flowers rarely left his bedroom. He was arrested in September 2024 — and arrest footage shows him laughing as officers took him away. During the raid, investigators discovered that Flowers was simultaneously hacking two U.S. healthcare providers. Chat logs revealed he joked about one attack potentially killing a 90-year-old patient on life support. He eventually pleaded guilty to hacking the U.S. medical facilities alongside the TfL breach. Police also seized roughly £1 million in cryptocurrency from Flowers.

Jubayer was already on law enforcement’s radar. The son of Bangladeshi immigrants, he received his first laptop at age 10 and taught himself to code. By 13, he was communicating with online criminals. He was first arrested at 14 in February 2021. In 2023, as a minor, he received a youth rehabilitation order for his role in Lapsus$, a hacking group that had targeted Nvidia and British Telecom. British media was legally barred from naming him at the time due to his age.

By the time of the TfL hack, Jubayer already had 22 prior convictions for hacking, fraud, and harassment. The U.S. has also issued a warrant for his alleged involvement in attacks against 47 American victims, who prosecutors say paid Jubayer and his associates $115 million in ransom. Jubayer later became a known figure in The Com, an English-speaking cybercrime underground. After falling out with other members, his personal details and photographs were leaked online. Videos surfaced appearing to show him being kidnapped and beaten — though some speculated he staged the scenes himself.

While awaiting trial in prison, both men were caught with contraband phones. Messages recovered from those devices showed they were still discussing and planning future cyberattacks from behind bars.

Judge Turner noted during sentencing that both offenders were young at the time of the crimes and had been diagnosed with autism, which he cited as mitigating factors.

Cybersecurity analyst Alison Nixon said that while the arrests have “significantly weakened and disrupted” Scattered Spider, sentences alone are unlikely to deter more teenagers from following the same path. “Policymakers must treat this like a violent youth gang problem,” she said. “The gang culture glorifies destruction of society and seeks to inflict maximum harm on victims.”